On 2/21/22 14:16, Vitaly Zaitsev via devel wrote: > On 21/02/2022 19:25, Demi Marie Obenour wrote: >> FIDO keys are significantly more secure than OTPs, and FAS should get >> support for them. OTPs are still phishable, whereas FIDO2 generally >> isn’t. > > OTP is absolutely free. FIDO2 requires the purchase of a special > hardware token. One must remember that anyone in the packagers group can (with a modicum of effort) get code execution on a huge number of machines, and is thus an incredibly attractive target for phishing attacks. Developing a roadmap to encourage, and eventually require, the use of hardware authenticators to submit packages is a reasonable precaution in this threat environment. A hardware authenticator could be a FIDO2 token, smart card, etc. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
